NHS-approved health apps leaking private data

NHS Choices' Health Apps Library of approved wellbeing software assures users that their data will be safe -- but a new study has found that several apps flout this promise and put private personal data at risk.

Launched in 2013, the NHS Health Apps Library offers a comprehensive list of smartphone apps for clinical and personal use.

These apps, which include services for mental health, cancer and diabetes, are intended to be suitable for both professional recommendation and non-clinical use. Accreditation programs had recently been put into place to provide clinical assurances about safety, with apps checked to ensure they complied with data protection laws and safeguarded against unauthorised access to data.

But when researchers at Imperial College London assessed 79 of these apps, they found that none of the apps encrypted personal information.

A further 66 percent of those apps sending identifying information over the internet did not use encryption and 20 percent had no privacy policy. Four of the apps sent both identifying and health information without encryption, with two cases appearing to place users at risk of data theft.

So far there is no evidence users have had their data compromised, but the researchers said developers should respond and put more checks in place. "The likelihood of any single user having their data stolen is small," Kit Huckvale, a PhD student at Imperial College and co-author of the study, told WIRED. "But we know from recent high-profile data thefts that these kinds of things can happen. There's no reason that health apps shouldn't be using industry standard methods to protect data, particularly given that health data can be sensitive".

Advising users on protection from data theft, Huckvale suggests double checking privacy policies and contacting developers for clarity if needed. "A useful starting point would be to treat a health app -- whatever the source -- like a random website you’ve encountered. Just as you wouldn’t start entering your data into a website without knowing a bit about it, you shouldn't assume that an app is secure".

Mariarosaria Taddeo, an expert on cyber-security at the Oxford Internet Institute, also stressed the importance of protecting personal data. "The dissemination of smart objects comes with enormous opportunities to improve private and public life," she told WIRED. "Nonetheless, such benefits are jeopardised if and when the ethical challenges that they pose are overlooked. In this case, users' privacy and trust have been breached."

"This study highlights the need to include ethical consideration both at design and deployment stage to ensure that fair data handling, privacy and transparency are protected and fostered at all times, and that technological developments do not come at the cost of users’ rights."

A spokesperson for NHS Choices stressed that action has been taken to protect users from data theft. "We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated," the spokesperson told WIRED. "A new, more thorough NHS endorsement model for apps has begun piloting this month which will be more robust".